function RequestSanitizer::sanitize

Same name in other branches
  1. 8.9.x core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::sanitize()
  2. 10 core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::sanitize()
  3. 11.x core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::sanitize()

Strips dangerous keys from user input.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The incoming request to sanitize.

string[] $safe_keys: An array of keys to consider safe.

bool $log_sanitized_keys: (optional) Set to TRUE to log keys that are sanitized.

Return value

\Symfony\Component\HttpFoundation\Request The sanitized request.

6 calls to RequestSanitizer::sanitize()
DrupalKernel::preHandle in core/lib/Drupal/Core/DrupalKernel.php
Helper method that does request related initialization.
RequestSanitizerTest::testAcceptableDestinationGet in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests acceptable destinations are not removed from GET requests.
RequestSanitizerTest::testAcceptableDestinationPost in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests acceptable destinations are not removed from POST requests.
RequestSanitizerTest::testRequestSanitization in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests RequestSanitizer class.
RequestSanitizerTest::testSanitizedDestinationGet in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests unacceptable destinations are removed from GET requests.


File

core/lib/Drupal/Core/Security/RequestSanitizer.php, line 51

Class

RequestSanitizer
Sanitizes user input.

Namespace

Drupal\Core\Security

Code

public static function sanitize(Request $request, array $safe_keys, $log_sanitized_keys = FALSE) {
    // Sanitize each request only once; the SANITIZED attribute marks completion.
    if (!$request->attributes->get(self::SANITIZED, FALSE)) {
        $update_globals = FALSE;
        // Parameter bags to clean, each with the message logged when keys are removed.
        $bags = [
            'query' => 'Potentially unsafe keys removed from query string parameters (GET): %s',
            'request' => 'Potentially unsafe keys removed from request body parameters (POST): %s',
            'cookies' => 'Potentially unsafe keys removed from cookie parameters: %s',
        ];
        foreach ($bags as $bag => $message) {
            // A TRUE result from processParameterBag() means the superglobals must be refreshed.
            if (static::processParameterBag($request->{$bag}, $safe_keys, $log_sanitized_keys, $bag, $message)) {
                $update_globals = TRUE;
            }
        }
        if ($update_globals) {
            // Push the cleaned values back into PHP's superglobals.
            $request->overrideGlobals();
        }
        $request->attributes->set(self::SANITIZED, TRUE);
    }
    return $request;
}
